Title:Daniel Klimmer aka Splittic aka Cutycat
Created:Feb 3rd, 2024
Created by: Anonymous
DISCORD ACCOUNT ============================================================================================================================== Discord: CutyCat2000, ID: 1200861224104116425 ============================================================================================================================== EMAIL ACCOUNTS ============================================================================================================================== evilfiredragon53@gmail.com danielklimmer2000@protonmail.com info:1:1 pub:0497c6883d49164bd6d2ca4da2d56fcc34746422:22::1627177422:: uid:danielklimmer2000@protonmail.com <danielklimmer2000@protonmail.com>:1627177422:: ============================================================================================================================== OTHER DETAILS ============================================================================================================================== GHUNT shows evilfiredragon53@gmail.com has real name "daniel klimmer". Paypal security for danielklimmer2000@protonmail.com account recovery shows Mobile number "+49 1••• ••16793" Matches doxbin. He has a google account registered with the phone number +49-15906116793 evilfiredragon53@gmail.com has a recovery phone number ending in 93, likely the phone number listed in doxbin. There is also one ending in 17 ============================================================================================================================== AUTOSERVICE Klimmer ============================================================================================================================== https://www.autoservice-klimmer.de/sites/info.html Page has © Daniel Klimmer, and looks as bad as a site made by daniel would. Site hosted on 81.169.145.150. 
https://www.shodan.io/host/81.169.145.150 ============================================================================================================================== DOXBIN ============================================================================================================================== https://doxbin.com/upload/DanielKlimmerCutyCat ╔────────────────────────────────────────────────────────────────────────────────────────────────────────────╗ | Name: Daniel Klimmer | | Age: 18-20 | | Usernames: CutyCat,thefiredragon,thefiredragon05,Danit999,Daniel K. | | Address: Ringstraße 6, 86971 Peiting | | Work: https://www.herzogsaegmuehle.de | | Number : +49-15906116793 | ╚────────────────────────────────────────────────────────────────────────────────────────────────────────────╝ His DC Tag : CutyCat#2329 https://doxbin.net/upload/splitticDanielKlimmer ╔────────────────────────────────────────────────────────────────────────────────────────────────────────────╗ | Name: Daniel Klimmer | | Age: 18-20 | | Usernames: CutyCat,thefiredragon,thefiredragon05,Danit999,Daniel K., splittic, unpredictable | | Address: Ringstraße 6, 86971 Peiting | | Number : +49-15906116793 | ╚────────────────────────────────────────────────────────────────────────────────────────────────────────────╝ ============================================================================================================================== ACCOUNTS ============================================================================================================================== https://www.linkedin.com/in/daniel-klimmer-16360a274/ https://pypi.org/user/cutycat2000/ https://www.duolingo.com/profile/Cutycat2000 https://scratch.mit.edu/users/cutycat2000/ https://www.furaffinity.net/user/cutycat2000 https://huggingface.co/cutycat2000 https://directleaks.net/members/cutycat2000.136603/ https://chaturbate.com/danit999/ https://truckersmp.com/user/3007541 https://www.github.com/cutycat2000 
https://gist.github.com/cutycat2000 https://www.fiverr.com/splittichost https://www.fiverr.com/danielklimmer https://www.fiverr.com/danielklimmer/create-a-discord-bot-for-you-with-all-you-want // "splittic" shown on page https://pypi.org/project/Splittic/1.0/ -> Author: Daniel Klimmer -> mailto:danielklimmer2000@protonmail.com https://web.archive.org/web/20240129194938/https://www.deviantart.com/thefiredragon05 ============================================================================================================================== SPLITTIC.APP ============================================================================================================================== Daniel aka CutyCat2000 runs a service called "splittichost" (splittic.app) Suspected that this has some link the the celestialscape server? But im not so sure about it. Someone claims that offtime between the two was shared Subdomain/IP information for splittic.app: Subdomain IP Cloudflare status autoconfig.splittic.app 45.81.234.245 CloudFlare is off autodiscover.splittic.app 45.81.234.245 CloudFlare is off node1.splittic.app 45.90.96.103 CloudFlare is off node2.splittic.app 45.81.234.14 CloudFlare is off node3.splittic.app 45.81.234.45 CloudFlare is off status.splittic.app 188.114.97.3 CloudFlare is on database1.splittic.app none CloudFlare is off panel.splittic.app none CloudFlare is off private1.splittic.app none CloudFlare is off node1: https://www.shodan.io/host/45.90.96.103 // SPLITTIC.APP // ARCHIVED: https://web.archive.org/web/20240129225946/https://www.shodan.io/host/45.90.96.103 node2: https://www.shodan.io/host/45.81.234.14 // MC-HOST24.DE node3: https://www.shodan.io/host/45.81.234.45 // MC-HOST24.DE Discovered services: Node1: Node2: Managed to NMAP this one myself within a sane amount of time, see ./nmap/node2.nmap.txt Interesting things found: Access-Control-Allow-Origin: https://panel.errorhunter.de Node3: https://whois.domaintools.com/45.90.96.103: // IP is owned by 
HT-Hosting-MNT inetnum: 45.90.96.0 - 45.90.96.255 org: ORG-DA1340-RIPE netname: dashserv-ffm country: DE admin-c: OK4398-RIPE tech-c: OK4398-RIPE status: SUB-ALLOCATED PA mnt-by: HT-Hosting-MNT created: 2023-08-21T15:58:52Z last-modified: 2023-08-21T15:58:52Z source: RIPE organisation: ORG-DA1340-RIPE org-name: dashserv org-type: OTHER address: RadioBotsEU UG (haftungsbeschr�nkt) address: Reiterpfad 37 address: 33104 Paderborn e-mail: abuse-c: ACRO53735-RIPE mnt-ref: HT-Hosting-MNT mnt-by: HT-Hosting-MNT created: 2023-08-14T11:45:46Z last-modified: 2023-08-14T11:45:46Z source: RIPE person: Oliver Krimmer // VERY similar to "klimmer", but this is NOT a relative! This is just a coincidence. address: Reiterpfad 37 phone: +49 0176 82362552 nic-hdl: OK4398-RIPE mnt-by: RADIOBOTSEU-MNT created: 2022-06-15T14:59:43Z last-modified: 2022-06-15T14:59:43Z source: RIPE route: 45.90.96.0/24 origin: AS203446 mnt-by: HT-Hosting-MNT created: 2023-08-21T15:59:31Z last-modified: 2023-08-21T15:59:31Z source: RIPE Random splittichost stuff: https://browser.geekbench.com/v4/cpu/16742989 https://v0.dev/t/4dzwT9KCvWt https://www.paypal.com/donate/?hosted_button_id=VMY3RBHbKAVRA SplitticAI downfall: https://www.youtube.com/watch?v=kJDq0pS-8D8 ============================================================================================================================== ERRORHUNTER.DE ============================================================================================================================== Appears to be owned by discord user "errorhunter" (ID 966341514412322857) Subdomain IP Cloudflare status autoconfig.errorhunter.de 45.81.234.245 CloudFlare is off autodiscover.errorhunter.de 45.81.234.245 CloudFlare is off node1.errorhunter.de 109.230.238.36 CloudFlare is off node2.errorhunter.de 45.81.234.14 CloudFlare is off // IP shared with node2.splittic.app panel.errorhunter.de 109.230.238.36 CloudFlare is off www.errorhunter.de 142.250.185.243 CloudFlare is off 
============================================================================================================================== INCRIMINATING EVIDENCE ============================================================================================================================== celestialscape.com is the site hosting his shit malware Found in discord server https://discord.gg/ufvyg5F2j4 asking for help with skidding the malware he chose to use Malicious files downloaded from his site at celestialscape.com can be found in the ./distributed-malware-files/ directory A decompiled version ceche_installer.exe (which is a file dropped by the main installer.exe file). This decompiled version HILARIOUSLY has plaintext python code, where the discord webhook listed below can be found ============================================================================================================================== DISCORD WEBHOOK USED FOR C2 ============================================================================================================================== { "application_id": null, "avatar": null, "channel_id": "1198766590196453451", "guild_id": "1198766590196453448", "id": "1198766625889976491", "name": "Spidey Bot", "type": 1, "user": { "id": "1145676460225478686", "username": "cutycat2000", "avatar": "c35efc4dd89668f6eb3d2bfb021366ff", "discriminator": "0", "public_flags": 0, "premium_type": 3, "flags": 0, "banner": null, "accent_color": null, "global_name": "CutyCat2000", "avatar_decoration_data": null, "banner_color": null }, "token": "o5oFEqip63u9TTL24hTYPL5rFBGjZ2zT5YWg9Ki-INJLXiO1nL_gjPsoABNuVfTvdB7K", "url": "https://discord.com/api/webhooks/1198766625889976491/o5oFEqip63u9TTL24hTYPL5rFBGjZ2zT5YWg9Ki-INJLXiO1nL_gjPsoABNuVfTvdB7K" } ============================================================================================================================== CELESTIALSCAPE ARCHIVES 
============================================================================================================================== https://web.archive.org/web/20240129180859/https://celestialscape.com/ https://web.archive.org/web/20240129212331/http://celestialscape.com/installer.exe // MALWARE CONTAINING WEBHOOK LISTED ABOVE ============================================================================================================================== CELESTIALSCAPE INFO ============================================================================================================================== ; <<>> DiG 9.18.21 <<>> celestialscape.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35923 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;celestialscape.com. IN A ;; ANSWER SECTION: celestialscape.com. 300 IN A 172.67.199.12 celestialscape.com. 300 IN A 104.21.44.113 ;; Query time: 36 msec ;; SERVER: 192.168.1.1#53(192.168.1.1) (UDP) ;; WHEN: Mon Jan 29 21:10:04 UTC 2024 ;; MSG SIZE rcvd: 79 ============================================================================================================================== RELATIONS ============================================================================================================================== TOBIAS CYGAN DOXBIN RESULT AT SAME HOME ADDRESS: ╔───────────────────────────────────────────────────────────────────────────────────────────────────────────╗ | Name: Tobias Cygan | | Age: 18 | | Address: Ringstraße 6, 86971 Peiting | // SAME ADDRESS AS DANIEL | Work: https://www.herzogsaegmuehle.de | // SAME "WORK" AS DANIEL | Number: +49 176 57626961 | ╚───────────────────────────────────────────────────────────────────────────────────────────────────────────╝ His DC Tag : lucifer_demon_ 
==============================================================================================================================